dcrat | 17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491

Analysis

max time kernel
99s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2024, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
Size

1.7MB
MD5

3fba7f79ef350176d3df69eadadad6d0
SHA1

287507f1ec455c36c70ba2a8923b9834a3849376
SHA256

17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491
SHA512

fd2cbf1407ea0931b8b2ab3c47e9586113d395c8ef3e311ada6405f5cf8a20b1c16dfa1c1b4a1d1a266c0e5ab784fafd127cce194546cd99263ddc3fcb48c748
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5264	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5288	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5296	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5320	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5344	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5360	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5384	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5408	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5416	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5448	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5464	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5476	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5612	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5628	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5652	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5684	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5708	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5728	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5752	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5764	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5776	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5808	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5828	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5852	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5872	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5900	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5924	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5968	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5984	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6000	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6032	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6048	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6072	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6100	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6120	3140	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	3140	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1996-1-0x0000000000150000-0x0000000000306000-memory.dmp	dcrat
behavioral2/files/0x000c000000023b1d-31.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1648	powershell.exe
4680	powershell.exe
4512	powershell.exe
1292	powershell.exe
5396	powershell.exe
3584	powershell.exe
5100	powershell.exe
852	powershell.exe
2720	powershell.exe
5392	powershell.exe
5412	powershell.exe
5428	powershell.exe
2308	powershell.exe
1840	powershell.exe
2924	powershell.exe
5444	powershell.exe
5408	powershell.exe
5488	powershell.exe
5436	powershell.exe
3480	powershell.exe
5368	powershell.exe
5188	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 3 IoCs

pid	Process
860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
660	conhost.exe
3680	conhost.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\es-ES\9e8d7a4ca61bd9	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\powershell.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backgroundTaskHost.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Program Files (x86)\Windows Mail\powershell.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backgroundTaskHost.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\RuntimeBroker.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Program Files (x86)\Windows Mail\e978f868350d50	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\088424020bedd6	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\eddb19405b7ce1	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RuntimeBroker.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\e978f868350d50	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\security\ApplicationId\PolicyManagement\088424020bedd6	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Windows\fr-FR\conhost.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File opened for modification	C:\Windows\fr-FR\conhost.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Windows\security\ApplicationId\PolicyManagement\conhost.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Windows\ServiceState\EventLog\Data\upfc.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Windows\OCR\services.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Windows\fr-FR\088424020bedd6	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File opened for modification	C:\Windows\security\ApplicationId\PolicyManagement\conhost.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
File created	C:\Windows\System\Speech\sihost.exe	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	conhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3344	schtasks.exe
2544	schtasks.exe
5320	schtasks.exe
5464	schtasks.exe
3344	schtasks.exe
5288	schtasks.exe
5408	schtasks.exe
5416	schtasks.exe
5476	schtasks.exe
5684	schtasks.exe
5652	schtasks.exe
5728	schtasks.exe
5764	schtasks.exe
5984	schtasks.exe
5264	schtasks.exe
5776	schtasks.exe
5808	schtasks.exe
6048	schtasks.exe
6120	schtasks.exe
5344	schtasks.exe
5708	schtasks.exe
5828	schtasks.exe
5968	schtasks.exe
6072	schtasks.exe
5872	schtasks.exe
5924	schtasks.exe
6100	schtasks.exe
2016	schtasks.exe
4452	schtasks.exe
5296	schtasks.exe
5384	schtasks.exe
5752	schtasks.exe
6000	schtasks.exe
1284	schtasks.exe
4024	schtasks.exe
5360	schtasks.exe
5448	schtasks.exe
5628	schtasks.exe
5612	schtasks.exe
5852	schtasks.exe
5900	schtasks.exe
6032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1648	powershell.exe
1648	powershell.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
4680	powershell.exe
4680	powershell.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
3480	powershell.exe
3480	powershell.exe
5100	powershell.exe
5100	powershell.exe
4512	powershell.exe
4512	powershell.exe
2924	powershell.exe
2924	powershell.exe
2720	powershell.exe
2720	powershell.exe
852	powershell.exe
852	powershell.exe
2308	powershell.exe
2308	powershell.exe
1292	powershell.exe
1292	powershell.exe
1840	powershell.exe
1840	powershell.exe
852	powershell.exe
1292	powershell.exe
1648	powershell.exe
5100	powershell.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
4512	powershell.exe
2720	powershell.exe
3480	powershell.exe
4680	powershell.exe
2308	powershell.exe
2924	powershell.exe
1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
1840	powershell.exe
860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
Token: SeDebugPrivilege	5444	powershell.exe
Token: SeDebugPrivilege	5368	powershell.exe
Token: SeDebugPrivilege	5428	powershell.exe
Token: SeDebugPrivilege	5392	powershell.exe
Token: SeDebugPrivilege	5396	powershell.exe
Token: SeDebugPrivilege	5488	powershell.exe
Token: SeDebugPrivilege	5408	powershell.exe
Token: SeDebugPrivilege	5412	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	5436	powershell.exe
Token: SeDebugPrivilege	5188	powershell.exe
Token: SeDebugPrivilege	660	conhost.exe
Token: SeDebugPrivilege	3680	conhost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2308	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	96
PID 1996 wrote to memory of 2308	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	96
PID 1996 wrote to memory of 1840	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	97
PID 1996 wrote to memory of 1840	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	97
PID 1996 wrote to memory of 5100	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	98
PID 1996 wrote to memory of 5100	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	98
PID 1996 wrote to memory of 1648	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	99
PID 1996 wrote to memory of 1648	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	99
PID 1996 wrote to memory of 2924	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	100
PID 1996 wrote to memory of 2924	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	100
PID 1996 wrote to memory of 852	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	101
PID 1996 wrote to memory of 852	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	101
PID 1996 wrote to memory of 3480	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	102
PID 1996 wrote to memory of 3480	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	102
PID 1996 wrote to memory of 2720	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	103
PID 1996 wrote to memory of 2720	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	103
PID 1996 wrote to memory of 4680	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	104
PID 1996 wrote to memory of 4680	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	104
PID 1996 wrote to memory of 4512	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	105
PID 1996 wrote to memory of 4512	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	105
PID 1996 wrote to memory of 1292	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	106
PID 1996 wrote to memory of 1292	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	106
PID 1996 wrote to memory of 860	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	119
PID 1996 wrote to memory of 860	1996	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	119
PID 860 wrote to memory of 5368	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	160
PID 860 wrote to memory of 5368	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	160
PID 860 wrote to memory of 5396	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	161
PID 860 wrote to memory of 5396	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	161
PID 860 wrote to memory of 5444	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	162
PID 860 wrote to memory of 5444	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	162
PID 860 wrote to memory of 5392	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	163
PID 860 wrote to memory of 5392	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	163
PID 860 wrote to memory of 5188	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	164
PID 860 wrote to memory of 5188	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	164
PID 860 wrote to memory of 5412	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	165
PID 860 wrote to memory of 5412	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	165
PID 860 wrote to memory of 5408	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	166
PID 860 wrote to memory of 5408	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	166
PID 860 wrote to memory of 5488	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	167
PID 860 wrote to memory of 5488	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	167
PID 860 wrote to memory of 3584	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	168
PID 860 wrote to memory of 3584	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	168
PID 860 wrote to memory of 5436	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	169
PID 860 wrote to memory of 5436	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	169
PID 860 wrote to memory of 5428	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	170
PID 860 wrote to memory of 5428	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	170
PID 860 wrote to memory of 660	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	182
PID 860 wrote to memory of 660	860	17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe	182
PID 660 wrote to memory of 3884	660	conhost.exe	183
PID 660 wrote to memory of 3884	660	conhost.exe	183
PID 660 wrote to memory of 4024	660	conhost.exe	184
PID 660 wrote to memory of 4024	660	conhost.exe	184
PID 3884 wrote to memory of 3680	3884	WScript.exe	185
PID 3884 wrote to memory of 3680	3884	WScript.exe	185

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
"C:\Users\Admin\AppData\Local\Temp\17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Users\Admin\AppData\Local\Temp\17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe
  "C:\Users\Admin\AppData\Local\Temp\17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5428
- - C:\Windows\security\ApplicationId\PolicyManagement\conhost.exe
    "C:\Windows\security\ApplicationId\PolicyManagement\conhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21a12d96-6f03-4db7-9833-771e2c443557.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Windows\security\ApplicationId\PolicyManagement\conhost.exe
        
        C:\Windows\security\ApplicationId\PolicyManagement\conhost.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3680
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a26de552-7c2a-4cda-92af-25ebc4e2668e.vbs"
      4⤵
      PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N1" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N1" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Task\winlogon.exe

Filesize
1.7MB

MD5
3fba7f79ef350176d3df69eadadad6d0

SHA1
287507f1ec455c36c70ba2a8923b9834a3849376

SHA256
17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491

SHA512
fd2cbf1407ea0931b8b2ab3c47e9586113d395c8ef3e311ada6405f5cf8a20b1c16dfa1c1b4a1d1a266c0e5ab784fafd127cce194546cd99263ddc3fcb48c748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\17988d10c91dc34a69637964b5afdb3800e23ddf13219985235aff4f0d712491N.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b444d3f0ddea49d84cc7b3972abe0e6

SHA1
0a896b3808e68d5d72c2655621f43b0b2c65ae02

SHA256
ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

SHA512
eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d14ccefeb263594e60b1765e131f7a3

SHA1
4a9ebdc0dff58645406c40b7b140e1b174756721

SHA256
57cd435c8b2bf10a2c77698301789c032e1b6b623ff1420c72e8bca0b10f1e5c

SHA512
2013a26123f72a4106524fd9d7389ac4654f97033d22707efc084fb2a3ad01c298eb64f01bb64861ab603615022dbe7cfc97475346edb16b3ba72e905127f101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cbc41bceec6e8cf6d23f68d952487858

SHA1
f52edbceff042ded7209e8be90ec5e09086d62eb

SHA256
b97a8a2a5dbc3c1b994affa4751e61e1ac6bddcf336a4c77ee96a3ce07c59f4d

SHA512
0f025ea2559e477c56500b9f4ecc251325793629cf1ae8d43ad783f1036b830c51757274b0aa8bb3183ac636cdfc1e0e8be1163a45695b8fb57df98c362534fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6019bc03fe1dc3367a67c76d08b55399

SHA1
3d0b6d4d99b6b8e49829a3992072c3d9df7ad672

SHA256
7f88db7b83b11cd8ea233efc3a1498635b68771482658255750df564a065f7d0

SHA512
6b5409780a23e977b0bbe463e351f1d474539100aeaa01b0b7fe72aa6dbfb3c0fec64fe9db65b63d188a279b65eae7f31ef0b6880c67ada9ab175da419f595eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cfecb4e0f846589c2742fd84d6bbd1db

SHA1
730c66c99e80f1c7d0fdd1ef7483c9dfb0a770ec

SHA256
12190c96e9eef24f7ee9a4e19d806f29d4aedab1f2c696478dea5684941824aa

SHA512
669241f726837dcd3b6c6664e002c4938cf1ccf9be3f3b4a953efb35a2977c6ea9536e1b61b92b1b716991f9801f4516d8e1d53c65ac605174ece553f19da475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8a5e2ea38e19509df780528ad021691

SHA1
3e2146c2d4da01eacac8dd31e5bc5d807f2dc4b2

SHA256
81ed7cf7ca545b88070b45dc3557164201528e5e777b3dd94b0c151c9648f313

SHA512
50d4d8601a4c370c5b63e77a20522299f39e5b3eae7f1ee9948489b9eee46faa14bdf3f3e65eee335354cef7a81f6df48b80a2ec7ec34f373ec86369d8c0d0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\21a12d96-6f03-4db7-9833-771e2c443557.vbs

Filesize
737B

MD5
d6a175cf63644aa5f46fb315f82dab41

SHA1
f132d747505c3e738311578cd5a230dc9f43070c

SHA256
838f84c764c9fbc7250cc1c4730cba13dced39e279e8adb6a44fb4560276ab55

SHA512
3ad25f3abd1edd4e55fb5cdd90f4361e88733bbf2b14d194b0d19aab83ee28464264f2969f77cd6f526ecb9736688936547889a5c824998be2dca8bbc32d3636

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_czuasq5w.woa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a26de552-7c2a-4cda-92af-25ebc4e2668e.vbs

Filesize
514B

MD5
c014105039b1994e69df599e6d34df64

SHA1
ad68289e8bce9d09982178757fb0c3efef53af92

SHA256
83c2da965544d8c897be1f6952bc4d3724bad385576ab92370a774138729c220

SHA512
a530d445306d9c029c9b8f903cdb024f4f7e81dd34d9ecd8dd45bfdb0670f96865f54c80f771314e8bcb65ba185359c7b754dbb1ac4042ed9c1b58b51f94d7cf

Download Submit
memory/860-159-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/1648-64-0x0000018BC9390000-0x0000018BC93B2000-memory.dmp

Filesize
136KB

Download
memory/1996-16-0x000000001B980000-0x000000001B988000-memory.dmp

Filesize
32KB

Download
memory/1996-19-0x00007FFC72ED0000-0x00007FFC73991000-memory.dmp

Filesize
10.8MB

Download
memory/1996-22-0x00007FFC72ED0000-0x00007FFC73991000-memory.dmp

Filesize
10.8MB

Download
memory/1996-8-0x000000001AF70000-0x000000001AF82000-memory.dmp

Filesize
72KB

Download
memory/1996-158-0x00007FFC72ED0000-0x00007FFC73991000-memory.dmp

Filesize
10.8MB

Download
memory/1996-18-0x000000001B9A0000-0x000000001B9AC000-memory.dmp

Filesize
48KB

Download
memory/1996-6-0x000000001AF40000-0x000000001AF50000-memory.dmp

Filesize
64KB

Download
memory/1996-4-0x000000001B5C0000-0x000000001B610000-memory.dmp

Filesize
320KB

Download
memory/1996-3-0x00000000024D0000-0x00000000024EC000-memory.dmp

Filesize
112KB

Download
memory/1996-2-0x00007FFC72ED0000-0x00007FFC73991000-memory.dmp

Filesize
10.8MB

Download
memory/1996-0-0x00007FFC72ED3000-0x00007FFC72ED5000-memory.dmp

Filesize
8KB

Download
memory/1996-7-0x000000001AF50000-0x000000001AF66000-memory.dmp

Filesize
88KB

Download
memory/1996-5-0x00000000024F0000-0x00000000024F8000-memory.dmp

Filesize
32KB

Download
memory/1996-17-0x000000001B990000-0x000000001B99C000-memory.dmp

Filesize
48KB

Download
memory/1996-14-0x000000001B920000-0x000000001B92C000-memory.dmp

Filesize
48KB

Download
memory/1996-15-0x000000001B930000-0x000000001B93A000-memory.dmp

Filesize
40KB

Download
memory/1996-13-0x000000001B710000-0x000000001B71C000-memory.dmp

Filesize
48KB

Download
memory/1996-11-0x000000001AF90000-0x000000001AF98000-memory.dmp

Filesize
32KB

Download
memory/1996-10-0x000000001AF80000-0x000000001AF8C000-memory.dmp

Filesize
48KB

Download
memory/1996-9-0x000000001AFA0000-0x000000001AFB0000-memory.dmp

Filesize
64KB

Download
memory/1996-1-0x0000000000150000-0x0000000000306000-memory.dmp

Filesize
1.7MB

Download
memory/3680-422-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download